The ACEs that make up an access list can be configured to detect and drop unauthorized TCP packets by
allowing only the packets that have a very specific group of TCP flags set or not set. The ACL TCP Flags
Filtering feature provides a greater degree of packet-filtering control in the following ways:
•
You can select any desired combination of TCP flags on which to filter TCP packets.
•
You can configure ACEs to allow matching on a flag that is set, as well as on a flag that is not set.
TCP Flags
The table below lists the TCP flags, which are further described in RFC 793, Transmission Control Protocol.
Table 116: TCP Flags
PurposeTCP Flag
Acknowledge flag—Indicates that the acknowledgment field
of a segment specifies the next sequence number the sender
of this segment is expecting to receive.
ACK
Finish flag—Used to clear connections.
FIN
Push flag—Indicates the data in the call should be
immediately pushed through to the receiving user.
PSH
Reset flag—Indicates that the receiver should delete the
connection without further interaction.
RST
Synchronize flag—Used to establish connections.
SYN
Urgent flag—Indicates that the urgent field is meaningful
and must be added to the segment sequence number.
URG
How to Configure ACL Support for Filtering IP Options
Filtering Packets That Contain IP Options
Complete these steps to configure an access list to filter packets that contain IP options and to verify that the
access list has been configured correctly.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
1237
How to Configure ACL Support for Filtering IP Options
To Next Page
Loading...
